PSIRT Advisory

FortiClient Use of Hard-coded Cryptographic Key

Summary

Use of a hard-coded cryptographic key to encrypt security sensitive data in configuration in FortiClient for Windows may allow an attacker with access to the configuration or the backup file to decrypt the sensitive data via knowledge of the hard-coded key.

Impact

Information Disclosure

Affected Products

FortiClient for Windows below 6.4.0

Solutions

Upgrade to FortiClient for Windows 6.4.0

Acknowledgement

Fortinet is pleased to thank Independent security researcher Gregory Draperi for reporting this vulnerability under responsible disclosure.